CVE-2022-48422: 
ONLYOFFICE DocumentServer vulnerability analysis and mitigation

ONLYOFFICE Docs through version 7.3 on certain Linux distributions contains a privilege escalation vulnerability (CVE-2022-48422). The vulnerability allows local users to gain elevated privileges by exploiting a Trojan horse libgcc_s.so.1 library placed in the current working directory, which can be any directory containing an ONLYOFFICE document (NVD, MITRE).

The vulnerability stems from ONLYOFFICE's library loading behavior, where it searches for and attempts to load libraries from the current directory before checking traditional library locations. When opening a document, the application tries to load libgcc_s.so.1 from multiple locations, including the current working directory, before loading it from system directories like /lib64. This behavior creates a security hole that can be exploited through a malicious library file (ONLYOFFICE Forum).

The vulnerability allows an attacker to execute arbitrary code with the privileges of the user who opens the document. By placing a malicious version of libgcc_s.so.1 (or other libraries) in the same directory as a document, the attacker can have their code loaded and executed when a user opens any ONLYOFFICE document in that directory (ONLYOFFICE Forum).

The vulnerability has been fixed in versions after 7.3. Users should upgrade to the latest version of ONLYOFFICE Docs to mitigate this security risk. The fix prevents the application from loading libraries from the current working directory before system directories (ONLYOFFICE Forum).

The vulnerability was initially reported on the ONLYOFFICE forum in December 2022, and the development team acknowledged and tracked it as bug report number 60244. The fix was implemented in February 2023, as confirmed by subsequent testing (ONLYOFFICE Forum).